Cyber AI Code Reviewer

Overview

The Cyber AI Code Reviewer is an AI-powered security code review system that automatically analyzes GitHub pull requests inside an isolated container environment. When a developer opens or updates a pull request, the reviewer spins up a secure, ephemeral container to inspect the code changes, identifies security vulnerabilities, and posts actionable feedback directly on the PR — all without requiring manual intervention from a security team.

How It Works

The review process follows five key steps:

  1. PR Opened / Webhook Triggers — A GitHub webhook fires when a pull request is opened, updated, or synchronized, notifying the review service.
  2. Container Pulls PR Diff — An isolated review container is launched and retrieves the pull request diff along with relevant file context from the repository.
  3. AI Analyzes Against OWASP/NIST/CWE — The AI engine performs deep analysis of the code changes, evaluating them against OWASP Top 10, NIST guidelines, and the CWE vulnerability taxonomy.
  4. Structured Findings Generated — Detected issues are formatted into structured findings with severity ratings, descriptions, references, and remediation guidance.
  5. Inline Comments Posted — The findings are posted as inline review comments directly on the relevant lines of the GitHub pull request.
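
Step 1 makes the webhook endpoint the entry point that launches containers, so a delivery should be authenticated before anything else happens. The following is an added example, not the project's own code: it checks GitHub's X-Hub-Signature-256 HMAC over the raw request body and only then looks at the event. The secret, the sample payload and the set of actions that start a review are assumptions.

```python
import hashlib
import hmac
import json

# Assumption: these pull_request actions start a review.
REVIEW_ACTIONS = {"opened", "synchronize"}


def verify_signature(secret: bytes, body: bytes, header: str) -> bool:
    """Check the X-Hub-Signature-256 header against the raw request body."""
    if not header or not header.startswith("sha256="):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    supplied = header[len("sha256="):]
    # compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def should_review(secret: bytes, event: str, body: bytes, header: str) -> bool:
    """Return True only for authentic pull_request deliveries worth reviewing."""
    if not verify_signature(secret, body, header):
        return False  # reject before parsing any untrusted JSON
    if event != "pull_request":  # value of the X-GitHub-Event header
        return False
    try:
        payload = json.loads(body)
    except ValueError:
        return False
    return isinstance(payload, dict) and payload.get("action") in REVIEW_ACTIONS


# Constructed sample delivery (not a real payload or secret).
SAMPLE_SECRET = b"constructed-test-secret"
SAMPLE_BODY = json.dumps({"action": "opened", "number": 7}).encode()
SAMPLE_SIG = "sha256=" + hmac.new(SAMPLE_SECRET, SAMPLE_BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    print(should_review(SAMPLE_SECRET, "pull_request", SAMPLE_BODY, SAMPLE_SIG))
    print(should_review(SAMPLE_SECRET, "pull_request", SAMPLE_BODY + b" ", SAMPLE_SIG))
```

The signature must be computed over the exact bytes received, not over a re-serialized copy of the parsed JSON.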

Architecture Overview

The system uses a containerized architecture where each review runs in isolation. The review container communicates with the AI analysis engine and persists results to a PostgreSQL database for historical tracking and metrics.

GitHub Webhook
      |
      v
Review Container
      |
      v
Claude AI Analysis
      |
      v
GitHub PR Comments

      [PostgreSQL] <-- tracking, audit logs, metrics

Each container is ephemeral: it is created for a single review, processes the diff, posts findings, and is then destroyed. PostgreSQL stores a record of every review, finding, and comment for compliance and trend analysis.

AI Code Analysis Workflow

The AI analysis proceeds through four distinct phases:

  1. Diff Extraction — The raw diff from the pull request is parsed to identify added, modified, and deleted lines, along with affected file paths and line numbers.
  2. Context Gathering — Surrounding code context is retrieved for each changed region, including imports, function signatures, class definitions, and related configuration files to provide the AI with a complete picture.
  3. Security Analysis — The AI engine evaluates the code against known vulnerability patterns, insecure coding practices, and compliance frameworks (OWASP, NIST, CWE). It considers data flow, trust boundaries, and potential attack vectors.
  4. Finding Generation — Identified issues are compiled into structured findings, each with a severity level, description, affected file and line, category, remediation steps, and references to relevant standards.
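
The Diff Extraction phase can be illustrated with a small unified-diff parser that maps each added line to its file path and its line number in the post-change file. This is an added example, not the project's own code; the function name and the sample diff are constructed. It counts hunk lines from the `@@` header so that added text which itself begins with `++` is not mistaken for a file header.

```python
import re

HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def added_lines(diff_text):
    """Return (path, new_line_number, text) for each added line of a unified diff."""
    results, path = [], None
    old_left = new_left = new_no = 0  # remaining hunk lines; current new-file line
    for line in diff_text.split("\n"):
        if old_left > 0 or new_left > 0:  # inside a hunk body
            if line.startswith("\\"):  # "\ No newline at end of file" marker
                continue
            if line.startswith("+"):  # also covers added text starting with "++"
                if path is not None:
                    results.append((path, new_no, line[1:]))
                new_no, new_left = new_no + 1, new_left - 1
            elif line.startswith("-"):
                old_left -= 1
            else:  # context line, present in both versions
                new_no, old_left, new_left = new_no + 1, old_left - 1, new_left - 1
        elif line.startswith("+++ "):  # file header outside any hunk
            target = line[4:].split("\t")[0]
            target = target[2:] if target.startswith("b/") else target
            path = None if target == "/dev/null" else target
        else:
            m = HUNK_RE.match(line)
            if m:  # an omitted count in the header means 1
                old_left = int(m.group(1) or 1)
                new_no = int(m.group(2))
                new_left = int(m.group(3) or 1)
    return results


# Constructed sample diff (not taken from a real repository).
SAMPLE_DIFF = '''diff --git a/src/api/users.py b/src/api/users.py
--- a/src/api/users.py
+++ b/src/api/users.py
@@ -41,3 +41,4 @@ def get_user(cursor, user_id):
     # look up one user
-    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
+    query = "SELECT * FROM users WHERE id = " + user_id
+    cursor.execute(query)
     return cursor.fetchone()
'''

if __name__ == "__main__":
    for hit in added_lines(SAMPLE_DIFF):
        print(hit)
```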

Security Issue Detection

The Cyber AI Code Reviewer detects a wide range of security vulnerability categories, including:

  • Injection — SQL injection, OS command injection, LDAP injection
  • Cross-Site Scripting (XSS) — Reflected, stored, and DOM-based XSS
  • Authentication and Authorization Flaws — Weak authentication, missing authorization checks, privilege escalation
  • Insecure Deserialization — Untrusted data deserialization leading to remote code execution or tampering
  • Hardcoded Secrets — API keys, passwords, tokens, and credentials embedded in source code
  • Sensitive Data Exposure — Logging of sensitive information, unencrypted data storage, PII leakage
  • Input Validation — Missing or insufficient validation of user-supplied input
  • Cryptographic Weaknesses — Use of weak algorithms, improper key management, insufficient entropy
  • Broken Access Control — IDOR, path traversal, missing function-level access control
  • Server-Side Request Forgery (SSRF) — Unvalidated URLs or endpoints that allow internal network access

Integration with Pull Requests

The reviewer integrates with GitHub via a GitHub App or Personal Access Token (PAT) authentication. Once configured, it automatically receives webhook events for pull request activity and posts review comments inline on the affected code.

Each inline comment includes:

  • Severity — Critical, High, Medium, or Low
  • Description — A clear explanation of the vulnerability and its potential impact
  • OWASP/NIST Reference — Links to the relevant security standard or guideline
  • Remediation — Specific steps or code changes to fix the issue

Example Workflow

Below is an example of a structured finding generated by the Cyber AI Code Reviewer when it detects a SQL injection vulnerability in a pull request:

{
  "file": "src/api/users.py",
  "line": 42,
  "severity": "Critical",
  "category": "SQL Injection",
  "description": "User-supplied input is concatenated directly into a SQL query string without parameterization, allowing an attacker to execute arbitrary SQL commands.",
  "remediation": "Use parameterized queries or an ORM to safely handle user input. Replace string concatenation with placeholders (e.g., cursor.execute('SELECT * FROM users WHERE id = %s', (user_id,))).",
  "references": [
    "CWE-89: Improper Neutralization of Special Elements used in an SQL Command",
    "OWASP A03:2021 - Injection",
    "NIST SP 800-53 SI-10: Information Input Validation"
  ]
}
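
Because a finding is model output derived from PR content, it is worth validating before it is posted. The following is an added example, not the project's own code: it checks a finding of the shape shown above and builds the request body for GitHub's "create a review comment for a pull request" endpoint (`body`, `commit_id`, `path`, `line`, `side`). The function name, the `commentable` set of changed lines and the placeholder commit id are assumptions.

```python
SEVERITIES = ("Critical", "High", "Medium", "Low")
REQUIRED = ("file", "line", "severity", "category", "description",
            "remediation", "references")


def to_review_comment(finding: dict, commentable: set, commit_id: str) -> dict:
    """Validate one finding and build the body of an inline PR comment request.

    commentable is the set of (path, line) pairs that the PR diff actually adds.
    """
    missing = [key for key in REQUIRED if key not in finding]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if finding["severity"] not in SEVERITIES:
        raise ValueError("unknown severity")
    path, line = finding["file"], finding["line"]
    if not isinstance(path, str):
        raise ValueError("file must be a string")
    if isinstance(line, bool) or not isinstance(line, int) or line < 1:
        raise ValueError("line must be a positive integer")
    if (path, line) not in commentable:
        # Model output is untrusted: only comment on lines the PR changed.
        raise ValueError("finding does not point at a changed line")
    refs = "\n".join(f"- {ref}" for ref in finding["references"])
    body = (
        f"**{finding['severity']}: {finding['category']}**\n\n"
        f"{finding['description']}\n\n"
        f"**Remediation:** {finding['remediation']}\n\n"
        f"**References:**\n{refs}"
    )
    return {"body": body, "commit_id": commit_id, "path": path,
            "line": line, "side": "RIGHT"}


# The finding from this page, abbreviated; the commit id below is a placeholder.
SAMPLE_FINDING = {
    "file": "src/api/users.py", "line": 42, "severity": "Critical",
    "category": "SQL Injection",
    "description": "User-supplied input is concatenated directly into a SQL query string.",
    "remediation": "Use parameterized queries or an ORM to safely handle user input.",
    "references": ["CWE-89: Improper Neutralization of Special Elements used in an SQL Command",
                   "OWASP A03:2021 - Injection"],
}

if __name__ == "__main__":
    changed = {("src/api/users.py", 42)}
    print(to_review_comment(SAMPLE_FINDING, changed, "0" * 40)["body"])
```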

Developer Experience

The Cyber AI Code Reviewer is designed to enhance, not interrupt, the developer workflow:

  • Non-blocking reviews — Reviews run asynchronously and do not block the pull request from being merged. Findings are advisory, giving developers the context they need to make informed decisions.
  • Actionable feedback — Every finding includes a clear description of the issue, why it matters, and what to do about it. No vague warnings or false-positive noise.
  • Secure code examples — Where applicable, remediation guidance includes concrete code examples showing the secure alternative.
  • Links to standards — Each finding references the relevant OWASP, NIST, or CWE standard, making it easy for developers to learn more and understand the broader security context.